Minimum Network Connectivity Requirements

| Controls Family | High (Restricted Data) | Medium (Sensitive Data) | Low (Non-Confidential Data) | IS-3 Requirement | Required for Insurance |
|---|---|---|---|---|---|
| 1. Access control measures for controlled electronic information resources | Required | Required | Required | III.C.2.b; IV.A | |
| 2. Encrypted transmission of restricted data including passwords | Required | Required | Required | III.C.2.b.i; III.C.2.g; IV.B | |
| 3. Software updates / patch management | Required | Required | Required | | |
| 4. Malicious software protection (III.C.2.c.iii; IV.D) | Required | Required | Required | III.C.2.c.iv; IV.C | |
| 5. Removal of unnecessary services | Required | Required | Required | IV.E | |
| 6. Host-based firewalls | Required | Required | Required | III.C.2.d; IV.F | |
| 7. No unauthorized email relays | Required | Required | Required | IV.G | |
| 8. No unauthorized, unauthenticated proxy servers | Required | Required | Required | IV.H | |
| 9. Physical security and session timeout | Required | Required | Required | III.C.2.b.ii; III.C.3.b; IV.I | |

Administrative Controls

| Controls Family | High (Restricted Data) | Medium (Sensitive Data) | Low (Non-Confidential Data) | IS-3 Requirement | Required for Insurance |
|---|---|---|---|---|---|
| Risk assessment, asset inventory and classification; identification of systems storing and accessing data (III.B) | Required | Recommended | Recommended | | |
| Formal proprietor authorization for sharing data (III.C, 4th paragraph) | Required | Recommended | Optional | | |
| Procedures to inform staff of information security responsibilities (III.C.1.a) | Required | Required | Required | | |
| Procedures for providing privileged accounts, review of personnel assignments for appropriate classification, security responsibilities, and separation of duties (III.C.1) | Required | Recommended | Optional | | |
| Background checks (III.C.1.b; III.F) | Required | Recommended | Optional | | |
| Third party agreements with data security language (III.F) | Required | Recommended | Optional | | |
| Take appropriate personnel/disciplinary action for violations of law or policy (III.C.1.c) | Required | Required | Required | | |
| Education and security awareness training (III.E) | Required | Recommended | Recommended | | |

Operational Controls

| Controls Family | High (Restricted Data) | Medium (Sensitive Data) | Low (Non-Confidential Data) | IS-3 Requirement | Required for Insurance |
|---|---|---|---|---|---|
| Secure and accountable means of authorization and authentication (III.C.2.a) | Required | Required | Optional | | |
| Prompt modification or termination of access or access levels in response to authorization changes (III.C.1) | Required | Required | Optional | | |
| Password guidelines and password vulnerability assessment (III.C.2.b.i) | Required | Required | Required | | |
| Delete, redact or de-identify data whenever possible (III.C, third paragraph) | Required | Recommended | Optional | | |
| Do not store data on portable devices (III.C.3.e) | Required | Recommended | Optional | | |
| Incident response planning and notification procedures (III.D) | Required | Required | Required | | |
| Access and activity audit and logging procedures, including access attempts and privileged access (III.C.2.b.iii; III.C.2.f; Appendix D) | Required | Required for financial instruments; otherwise recommended | Optional | | |
| Application security: system and application development standards, application vulnerability assessment (test, development, and production) (III.C.2.c.v) | Required | Required | Recommended | | |
| Authorized, documented change management procedures (III.C.2.e) | Required | Recommended | Optional | | |
| Backup systems supporting essential activities (III.C.2.c.ii) | Required | Required | Required | | |

Technical Controls

| Controls Family | High (Restricted Data) | Medium (Sensitive Data) | Low (Non-Confidential Data) | IS-3 Requirement | Required for Insurance |
|---|---|---|---|---|---|
| Network firewalls and IDS/IPS (III.C.2.d) | Required | Recommended | Optional | | |
| Encryption: stored data (III.C.2.g; Appendix E); transmitted data (III.C.2.g; Appendix E); backups where physical security is at risk (III.C.2.c.ii; Appendix E); protective measures such as encryption for data on portable devices and media (III.C.2.g; III.C.3.e); appropriate encryption key management to ensure the availability of encrypted authoritative information (III.C.2.g; Appendix E) | Required | Recommended | Optional | | |
| Ensure proper user authentication and authorization for users and administrators on all systems (III.C.2.b) | Required | Required | Recommended | | |
| Centralized log management, alerting on improper activity, and log retention (III.C.2.b) | Required | Recommended | Optional | | |

Physical Controls

| Controls Family | High (Restricted Data) | Medium (Sensitive Data) | Low (Non-Confidential Data) | IS-3 Requirement | Required for Insurance |
|---|---|---|---|---|---|
| Physical access controls; facility access controls (III.C.3.b) | Required | Required | Required | | |
| Disposal and re-use: securely remove or destroy data before equipment or electronic media is re-deployed, recycled or disposed (III.C.3.d) | Required | Required | Recommended | | |
| Physical security for portable devices and media (III.C.3.e) | Required | Recommended | Optional | | |
| Track reassignment or movement of devices and stock inventories, including financial instruments, such as check stock and produced checks (III.C.3.c) | Required | Required for financial instruments; otherwise recommended | Optional | | |
| Document repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks (III.C.3.c) | Required | Required for financial instruments; otherwise recommended | Optional | | |
| Disaster Recovery and Business Continuity Plan (III.C.3.a) | Required | Recommended | Optional | | |